P063app-fip_usl.doc P-063 DZ/MY 10JAN02 



FIELD OF THE INVENTION 
The present invention relates to digital signature schemes in general, 
and in particular to the OSS signature scheme. 

BACKGROUND OF THE INVENTION 

Many signature schemes are based on the difficulty of solving a 
hard mathematical problem. With special knowledge, typically termed in the art 
knowledge of a "trapdoor", the mathematical problem can be solved easily. Easy 
solution allows one who knows the trap door to easily sign a document. The 
difficulty of anyone else, not knowing the trap door, solving the hard problem and 
thus forging the signature makes the signature reliable. 

The following references may assist in understanding the background of the present invention, and are referred to below according to their respective numbers:

[1] L. Adleman, D. Estes, and K. McCurley, "Solving Bivariate Quadratic Congruences in Random Polynomial Time," Mathematics of Computation, v. 48, n. 177, Jan 1987, pp. 17-28.

[2] D. Estes, L. Adleman, K. Kompella, K. McCurley, and G. Miller, "Breaking the Ong-Schnorr-Shamir Signature Scheme for Quadratic Number Fields," Advances in Cryptology: Proceedings of CRYPTO '85, Springer-Verlag, 1986, pp. 3-13.

[3] A. Fiat and A. Shamir, "How to Prove Yourself: Practical Solutions to Identification and Signature Problems," Advances in Cryptology: Proceedings of CRYPTO '86, Springer-Verlag, 1987, pp. 186-194.

[4] D. Naccache, "Can O.S.S. be Repaired? Proposal for a New Practical Signature Scheme," Advances in Cryptology: Proceedings of EUROCRYPT '93, Springer-Verlag, 1994, pp. 233-239.

[5] National Institute of Standards and Technology, NIST FIPS PUB 186, "Digital Signature Standard," U.S. Department of Commerce, May 1994.

[6] H. Ong, C. P. Schnorr, and A. Shamir, "An Efficient Signature Scheme Based on Quadratic Equations," Proceedings of the 16th Annual Symposium on the Theory of Computing, 1984, pp. 208-216.

[7] H. Ong, C. P. Schnorr, and A. Shamir, "Efficient Signature Schemes Based on Polynomial Equations," Advances in Cryptology: Proceedings of CRYPTO '84, Springer-Verlag, 1985, pp. 37-46.

[8] J. Pollard and C. Schnorr, "An Efficient Solution of the Congruence $x^2 + k \cdot y^2 = m \bmod n$," IEEE Transactions on Information Theory, v. IT-33, n. 5, Sep 1987, pp. 702-709.

[9] M. O. Rabin, "Digital Signatures and Public-Key Functions as Intractable as Factorization," MIT Laboratory for Computer Science, Technical Report, MIT/LCS/TR-212, Jan 1979.

[10] R. L. Rivest, A. Shamir, and L. M. Adleman, "A Method for Obtaining Digital Signatures and Public-Key Cryptosystems," Communications of the ACM, v. 21, n. 2, Feb 1978, pp. 120-126.



[11] US Patent 4,405,829 to Rivest et al.

[12] US Patent 4,748,668 to Shamir et al.

RSA refers to the well-known RSA signature scheme described, for example, in references [10] and [11].

The following mathematical and related conventions are used throughout the present specification and claims.

1. Greek symbols $\alpha$, $\beta$, $\gamma$ are used to denote variables that may be chosen "randomly" (within certain specified constraints), and upper case letters (A, B, C, ...) to denote variables that are either directly or indirectly derived from these random variables.

2. N is used to denote a composite modulus suitable for RSA; that is, the product of two large prime, secret factors. All operations will be in one of the three rings of integers: $Z$, $Z_N$, and $Z_\beta$ (where $\beta$ is an integer we will choose). With each step, we will clearly indicate in which ring the step is being performed. Additionally, to avoid confusion, we will use the notation $x^{-1}$ to denote the inverse of x in the finite ring $Z_N$ or $Z_\beta$ (and $y \cdot x^{-1}$ to denote y divided by x in $Z_N$ or $Z_\beta$), while we will use the notation $y/x$ to denote integer division (with truncation as needed) in $Z$.

Since, as is well known, multiplication does not associate with integer division, that is, $x \cdot (y/z)$ may not equal $(x \cdot y)/z$, parentheses will be used as necessary to avoid ambiguity. For example:

$3 \cdot (5/2) = 6 \ne 7 = (3 \cdot 5)/2$

The OSS signature scheme was proposed over 15 years ago in reference [6]. The OSS signature scheme was based on the supposed difficulty of finding solutions to quadratic bivariate equations in $Z_N$, with the trapdoor allowing a legitimate signer to sign being structural knowledge of the coefficients that allowed factoring a constant term of the polynomial into linear expressions. For example, solving for x, y in the equation termed herein "the OSS equation":

$x^2 - V \cdot y^2 - m = 0$ in $Z_N$

can be done with knowledge of S such that $S^{-2} = V$ in $Z_N$:

$(x + y \cdot S^{-1}) \cdot (x - y \cdot S^{-1}) = m$

Decomposing the constant m into factors $\alpha$ and $m \cdot \alpha^{-1}$ for some randomly chosen invertible $\alpha$ in $Z_N$, and solving the system of simultaneous linear equations:

$x + y \cdot S^{-1} = m \cdot \alpha^{-1}$, $x - y \cdot S^{-1} = \alpha$

yields the solution:

$x = 2^{-1} \cdot (m \cdot \alpha^{-1} + \alpha)$, $y = 2^{-1} \cdot S \cdot (m \cdot \alpha^{-1} - \alpha)$
Throughout the present specification and claims, the notation (a, b)
is used to denote an ordered pair comprising a and b. The above problem is 
transformed to a signature scheme by allowing (V, N) to be the public key, S to be 
the private key, m to be the message digest to be signed, and (x, y) to be the 
signature. 

The OSS signature scheme was broken with the development of a 
random polynomial time method for solving bivariate quadratic equations in 
general, without the trapdoor knowledge; see references [1], [2], and [8]. This 
solution method is much less efficient than the solution method using the trapdoor, 
but still sufficiently tractable to render the OSS scheme insecure for most digital
signature purposes. 

The appeal of OSS, then and now, is that it requires a very small 
number of multiple precision multiplicative operations to sign, in contrast to most 
other secure public key signature methods based on either factoring or discrete 
logarithms. Some schemes, such as DSA, described in reference [5], also achieve 
this result when precomputation is allowed; that is, when not counting the work 
done prior to knowledge of the message to be signed. However, precomputation is 
not always operationally feasible. 

Many public key signature schemes, such as low exponent RSA, 
described in references [10] and [11], or Rabin, described in reference [9], can be 
very efficient for the verifier, but not for the signer. However, in certain contexts, 
particularly digital signature using a smart card, it is appreciated that the ability to 
sign efficiently is more important than the ability to verify efficiently. 

For the reason of efficiency, there have been many attempts to 
repair OSS with variants of various types, primarily retaining the flavor of the 
original OSS while introducing constructs or changing the domain so as to 
obstruct the attack on the original OSS. All such proposals have either been 
shown to be insecure, do not retain the appealing property of using a very limited 
number of multiplicative operations, or are of too recent vintage to be considered 
secure yet. 

For example, the original proposers of OSS generalized the problem by extending the domain from which the signature variables and coefficients were to be chosen from the rational integers to the quadratic integers, as described in reference [7], hoping that the attack method on the original form could not be applied in the new case. However, it was shown, as described in reference [2], that an instance of the extended problem may be polynomially transformed to the simpler domain, and the transformed problem can then be solved with the original attack. Thus, the quadratic integers variation does not overcome the weakness of the original OSS.

Naccache, as described in reference [4], proposes two alternate 
approaches to securing OSS, taking advantage of the fact that the attacker has no 
control over the "structure" of the x and y returned by the OSS attack method. In 
the first of these approaches, the public key V is replaced by a non-polynomial 
function of x, thereby obstructing the attack method, which necessarily generates 
the x and y in parallel. He presents a practical example of a non-polynomial 
function in which the private key holder can solve the resultant equation. While 
this construct is sound and fairly efficient, it is very similar to the approach of the 
Fiat-Shamir signature scheme, described in references [3] and [12], in which a 
large number of "binary proofs" are effectively "aggregated", and the number of 
multiple precision multiplicative operations needed (as well as the number of keys 
needed) is proportional to the logarithm of the size of a secure search space. Thus, 
the first Naccache approach is not as efficient as the original OSS. 

In the second Naccache approach, Naccache proposes requiring the 
choosing of x and y in such a way that the random parameter upon which x and y 
are based must have a required structural form. It will be apparent to persons 
skilled in the art that the difficulty of constructing such a scheme is that the 
random parameter must be kept a secret in order to avoid compromising the 
private key. He presents an intuitive argument of how it might be possible to 
construct such a scheme, which would be more like the original OSS in terms of 
having a single key and would perhaps require a small number of multiplicative 
operations. Although this approach looks promising, the inventor of the present 
invention is not aware of any convincing results yet in this direction. 

There is thus a need for an effective and efficient approach to securing OSS.



The disclosures of all references mentioned above and throughout 
the present specification are hereby incorporated herein by reference. 
SUMMARY OF THE INVENTION

The present invention seeks to provide an improved variant of the 
OSS signature scheme. 

The present invention, in a preferred embodiment thereof, uses yet 
another approach to securing OSS, by generalizing the original OSS equation to 
include approximations. Proof of the security of the preferred approach is not 
currently available, but the approach appears resistant to the types of attacks on 
OSS and OSS variants used until now. It is speculated that a different attack, from 
a somewhat different mathematical domain, would be needed to disprove its 
security. 

There is thus provided in accordance with a preferred embodiment of the present invention a method for digitally signing a message, the method including providing a message digest $(M_x, M_z)$, providing a modulus N, providing a number V in the ring $Z_N$, wherein for another number S in the ring $Z_N$, $V \cdot S^2 = 1$ in $Z_N$, solving the equation $(M_x + x)^2 - V \cdot y^2 = 4 \cdot (M_z + z)$ in $Z_N$ to produce x, y, and z, and assigning SIG as the signature of $(M_x, M_z)$, wherein SIG includes (x,y).

Further in accordance with a preferred embodiment of the present 
invention SIG includes (x,y,z). 

Still further in accordance with a preferred embodiment of the present invention the solving includes the following: a) choosing $\alpha$ and $\beta$ in $Z$ such that $0 < \alpha < \beta < 2^{k-1}$ and $\gcd(\alpha, \beta) = 1$ in $Z$; b) choosing $\gamma$ in $Z$ such that $2^{n-k-1} < \gamma < 2^{n-k}$ and $\beta \mid (\alpha \cdot N + \gamma)$ in $Z$; c) setting R equal to $(\alpha \cdot N + \gamma) / \beta$ in $Z$; d) setting T equal to $-(M_z \cdot R + M_x + R^{-1})$ in $Z_N$; e) if $\beta = 1$ or $T < 8 \cdot \gamma$ (in $Z$), setting U and W equal to 0 and continuing with step k); f) setting D equal to $\alpha^{-1}$ in $Z_\beta$; g) setting A equal to $N / \beta$ in $Z$; h) setting B equal to $(T - 8 \cdot \gamma) / A$ in $Z$; i) setting U equal to $B \cdot D$ in $Z_\beta$; j) setting W equal to $U \cdot R$ in $Z_N$; k) setting C equal to $(T - W) / \gamma$ in $Z$; l) setting z equal to $U + \beta \cdot C$ in $Z_N$; m) setting x equal to $T - z \cdot R$ in $Z_N$; and n) setting y equal to $S \cdot (x + M_x + 2 \cdot R^{-1})$ in $Z_N$, thereby producing x, y, and z.

Additionally in accordance with a preferred embodiment of the present invention the method also includes providing a trusted computation device and a non-trusted computation device, and step d) includes performing a computation in the non-trusted computation device.

Moreover in accordance with a preferred embodiment of the present invention the computation in the non-trusted computation device includes a computation of $R^{-1}$.

Further in accordance with a preferred embodiment of the present invention the computation in the non-trusted computation device is protected from tampering by performing a blinding method in the trusted computation device.

Still further in accordance with a preferred embodiment of the present invention the method also includes verifying a result of the computation in the non-trusted computation device.

Additionally in accordance with a preferred embodiment of the present invention step a) includes screening $\alpha$ and $\beta$.

Moreover in accordance with a preferred embodiment of the present invention the screening includes reducing $\alpha$ and $\beta$ modulo 210.

Further in accordance with a preferred embodiment of the present invention the reducing $\alpha$ and $\beta$ modulo 210 includes computing $\gcd(210, (\alpha \bmod 210), (\beta \bmod 210))$ to produce a result, and rejecting $\alpha$ and $\beta$ and choosing another $\alpha$ and $\beta$ if the result is not equal to 1.

Still further in accordance with a preferred embodiment of the present invention the solving includes the following: a) setting $\alpha$ equal to 0; b) setting $\beta = 1$; c) choosing $\gamma$ such that $2^{n-k-1} < \gamma < 2^{n-k}$; d) setting T equal to $-(M_z \cdot \gamma + M_x + \gamma^{-1})$ in $Z_N$; e) setting z equal to $T / \gamma$ in $Z$; f) setting x equal to $T - z \cdot \gamma$ in $Z_N$; and g) setting y equal to $S \cdot (x + M_x + 2 \cdot \gamma^{-1})$ in $Z_N$, thereby producing x, y, and z.

Additionally in accordance with a preferred embodiment of the present invention the method also includes providing a trusted computation device and a non-trusted computation device, wherein step d) includes performing a computation in the non-trusted computation device.

Further in accordance with a preferred embodiment of the present invention the computation in the non-trusted computation device includes a computation of $\gamma^{-1}$.



Still further in accordance with a preferred embodiment of the 
present invention the computation in the non-trusted computation device is 
protected from tampering by performing a blinding method in the trusted 
computation device. 

Additionally in accordance with a preferred embodiment of the 
present invention the method also includes verifying a result of the computation in 
the non-trusted computation device. 

There is also provided in accordance with another preferred embodiment of the present invention a message signer for digitally signing a message based on a message digest $(M_x, M_z)$, a modulus N, and a number V in the ring $Z_N$, wherein for another number S in the ring $Z_N$, $V \cdot S^2 = 1$ in $Z_N$, the message signer including a solver for solving the equation $(M_x + x)^2 - V \cdot y^2 = 4 \cdot (M_z + z)$ in $Z_N$ to produce x, y, and z, and a signature assignor for assigning SIG as the signature of $(M_x, M_z)$, wherein SIG includes (x,y).



BRIEF DESCRIPTION OF THE DRAWINGS 
The present invention will be understood and appreciated more fully 
from the following detailed description, taken in conjunction with the drawings in 
which: 

Fig. 1 is a simplified block diagram illustration of a method for 
signing a message digest in accordance with a preferred embodiment of the 
present invention; 

Figs. 2A and 2B, taken together, comprise a simplified flowchart
illustration of a preferred implementation of step 100 of Fig. 1; 

Fig. 3 comprises a simplified flowchart illustration of an alternative 
preferred implementation of step 100 of Fig. 1; and 

Fig. 4 is a simplified block diagram illustration of an apparatus 
suitable for implementing the method of Fig. 1. 
DETAILED DESCRIPTION OF A PREFERRED EMBODIMENT

In a preferred embodiment of the present invention, the OSS 
problem is generalized by adding a third variable z, with restricted range, to the 
right hand side of the OSS equation described above, thus effectively changing the 
OSS equation to an approximate equality. The system based on the approximate 
equality is also termed herein "Fuzzy OSS". At the same time a compensation is 
made by restricting the range of variable x, so that the number of solutions for any 
given key and message digest remains approximately the same as in the original 
problem, i.e., it remains approximately O(N).

Note that the approach of the preferred embodiment differs from the 
second Naccache approach presented above. In this case it is the value of x itself 
which is explicitly being restricted, rather than the relation between x and its 
generating random parameter being implicitly restricted, as in the second 
Naccache approach. The modified, or Fuzzy OSS, problem then appears as 
follows: 

Find a solution (x, y, z), in $Z_N \times Z_N \times Z_N$, for the equation:

$(M_x + x)^2 - V \cdot y^2 = 4 \cdot (M_z + z)$ in $Z_N$

termed herein the Fuzzy OSS equation, where:

N is a given "RSA-type" modulus of length n bits (i.e., $2^{n-1} < N < 2^n$) and secret factorization;

x and z satisfy $0 \le x < 2^{n-k}$ and $0 \le z < 2^{k+3}$ for a given k, $0 \ll 2 \cdot k < n$; and

$M_x$, $M_z$, and V are given.

Note that if k is allowed to approach 0 (as opposed to the 
requirement given above), this problem becomes computationally equivalent to the 
original OSS problem. 

A more general statement concerning x and z may be given as follows:

$0 \le x < 2^u$

$0 \le z < 2^v$

The requirements for u and v can be stated more generally as follows:

• The sum u + v should be close to n. If it is considerably smaller than n, the 
solution methods given herein will not succeed most of the time. To the extent 
that it is greater than n, the problem will become easier for an attacker to solve 
(i.e., to "forge", even without knowing the secret). 

• The value of u should preferably be greater than or equal to n/2. If u is less 
than n/2, then the problem is still solvable, but the solution methods given 
herein need to be modified slightly, and some generality of solution is lost 
(with possible loss of security). 

• The value of v should not be "close" to either 0 or n. If v is close to 0, the 
problem may be transformed to an instance of the original OSS problem 
(which is not secure). If v is close to n, the problem is trivial to solve. 

Given the above guidelines, the choice of u = n-k and v = k+3 (with 
k < n/2, but k not close to 0) was chosen to allow the solution, described below, to 
always find a solution, without ever needing to retry. The addition of the small 
"offset" constant 3 in the exponent (or any such small offset) does not affect the 
essential difficulty of the problem. 

The Fuzzy OSS problem can be made into a signature scheme by allowing (V, N) to be the public key, S to be the private key (where $V \cdot S^2 = 1$ in $Z_N$), and $(M_x, M_z)$ to be the message digest to be signed. The signature of $(M_x, M_z)$ is the triple (x, y, z); however, since z can be easily and deterministically computed from (x, y) without knowledge of the private key, it does not need to be sent or even calculated by the signer. In the solution method presented below, z will be computed because its value is needed as an intermediate value in the calculation of x and y. The discussion below, with reference to Fig. 2, will show how knowledge of the private key S allows a relatively efficient solution to this problem.

Reference is now made to Fig. 1 which is a simplified block 
diagram illustration of a method for signing a message digest in accordance with a 
preferred embodiment of the present invention. The method of Fig. 1 is self- 
explanatory with reference to the above discussion, except as follows. Preferably, 
in step 100, a method is provided to solve the Fuzzy OSS equation, based
preferably on secret knowledge of a key S as described above. 

Reference is now made to Figs. 2A and 2B, which, taken together, 
comprise a simplified flowchart illustration of a preferred implementation of step 
100 of Fig. 1. 

As mentioned above, operations described below will be performed in three different rings: $Z$, $Z_N$, and $Z_\beta$ (where $\beta$ will be chosen). For each step, the ring in which to perform the operation will be noted.

The method of Figs. 2A and 2B preferably comprises the following steps:

Step 110: Choose $\alpha$ and $\beta$ in $Z$ such that $0 < \alpha < \beta < 2^{k-1}$ and $\gcd(\alpha, \beta) = 1$ (in $Z$)

Step 120: Choose $\gamma$ in $Z$ such that $2^{n-k-1} < \gamma < 2^{n-k}$ and $\beta \mid (\alpha \cdot N + \gamma)$ (in $Z$)

Step 130: Set $R \leftarrow (\alpha \cdot N + \gamma) / \beta$ (in $Z$; i.e., integer division)

Step 140: Set $T \leftarrow -(M_z \cdot R + M_x + R^{-1})$ (in $Z_N$)

Steps 150 and 155: If $\beta = 1$ or $T < 8 \cdot \gamma$ (in $Z$), set $U, W \leftarrow 0$ and go directly to step 210.

Step 160: Set $D \leftarrow \alpha^{-1}$ (in $Z_\beta$, not in $Z_N$; i.e., $\alpha \cdot D = 1$ in $Z_\beta$)

Step 170: Set $A \leftarrow N / \beta$ (in $Z$; i.e., integer division with truncation)

Step 180: Set $B \leftarrow (T - 8 \cdot \gamma) / A$ (in $Z$; i.e., integer division with truncation)

Step 190: Set $U \leftarrow B \cdot D$ (in $Z_\beta$, not in $Z_N$)

Step 200: Set $W \leftarrow U \cdot R$ (in $Z_N$)

Step 210: Set $C \leftarrow (T - W) / \gamma$ (in $Z$; i.e., integer division with truncation)

Step 220: Set $z \leftarrow U + \beta \cdot C$ (in $Z_N$)

Step 230: Set $x \leftarrow T - z \cdot R$ (in $Z_N$)

Step 240: Set $y \leftarrow S \cdot (x + M_x + 2 \cdot R^{-1})$ (in $Z_N$)
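As an added worked example, not code from the application, the following Python carries out steps 110 to 240 above (and, with fast_variant=True, the alternative solution of Fig. 3 with $\alpha = 0$ and $\beta = 1$ listed in the Summary) and then verifies the signature the way the description says a verifier can, by recovering z from (x, y) and checking the ranges on x and z. The modulus is a constructed toy product of two Mersenne primes, and the SHA-256 mapping of a message to $(M_x, M_z)$ is an assumption; both are labelled in the code.

```python
import hashlib
import random
from math import gcd

# Constructed toy modulus: the product of two known Mersenne primes (92 bits).
# A deployment would use a full-size RSA-type modulus with secret factorization.
P_TOY = 2**31 - 1
Q_TOY = 2**61 - 1


def keygen(p, q, rng):
    """Public key (V, N) and private key S with V * S^2 = 1 in Z_N."""
    N = p * q
    while True:
        S = rng.randrange(2, N)
        if gcd(S, N) == 1:
            break
    V = pow(pow(S, -1, N), 2, N)              # V = S^-2 in Z_N
    return (V, N), S


def digest_pair(message, N):
    """Map a message to (M_x, M_z). The page fixes no such mapping; splitting a
    SHA-256 digest into two halves is an assumption made for this example."""
    h = hashlib.sha256(message).digest()
    return int.from_bytes(h[:16], "big") % N, int.from_bytes(h[16:], "big") % N


def fuzzy_oss_sign(Mx, Mz, V, N, S, k, rng, fast_variant=False):
    """Steps 110-240 of Figs. 2A/2B; fast_variant follows Fig. 3 (alpha = 0, beta = 1).
    Returns (x, y, z); the ring of each step is noted in the comments."""
    n = N.bit_length()                        # 2^(n-1) < N < 2^n
    assert 0 < 2 * k < n, "the page requires 0 << 2k < n"
    while True:
        if fast_variant:
            alpha, beta = 0, 1
        else:
            # Step 110: alpha, beta in Z with 0 < alpha < beta < 2^(k-1), gcd(alpha, beta) = 1
            beta = rng.randrange(2, 2 ** (k - 1))
            alpha = rng.randrange(1, beta)
            if gcd(alpha, beta) != 1:
                continue
        # Step 120: gamma in Z with 2^(n-k-1) < gamma < 2^(n-k) and beta | (alpha*N + gamma)
        gamma = rng.randrange(2 ** (n - k - 1) + 1, 2 ** (n - k) - beta)
        gamma += (-(alpha * N + gamma)) % beta
        R = (alpha * N + gamma) // beta       # Step 130 (in Z; exact by choice of gamma)
        if gcd(R, N) == 1:                    # R^-1 in Z_N is needed in step 140
            break
    R_inv = pow(R, -1, N)
    T = (-(Mz * R + Mx + R_inv)) % N          # Step 140 (in Z_N)
    if beta == 1 or T < 8 * gamma:            # Steps 150/155: T is "small", skip 160-200
        U = W = 0
    else:
        D = pow(alpha, -1, beta)              # Step 160 (in Z_beta)
        A = N // beta                         # Step 170 (in Z)
        B = (T - 8 * gamma) // A              # Step 180 (in Z)
        U = (B * D) % beta                    # Step 190 (in Z_beta): coarse estimate of z
        W = (U * R) % N                       # Step 200 (in Z_N)
    assert 0 <= W <= T, "Lemma [L7] guarantees W < T"
    C = (T - W) // gamma                      # Step 210 (in Z): fine correction
    z = (U + beta * C) % N                    # Step 220 (in Z_N)
    x = (T - z * R) % N                       # Step 230 (in Z_N)
    y = (S * (x + Mx + 2 * R_inv)) % N        # Step 240 (in Z_N)
    return x, y, z


def fuzzy_oss_verify(Mx, Mz, V, N, k, x, y):
    """Verifier: z is fixed by (x, y) through the Fuzzy OSS equation, so the check
    is that x and the recovered z both lie in their required ranges."""
    n = N.bit_length()
    if not 0 <= x < 2 ** (n - k):
        return False
    z = ((pow(Mx + x, 2, N) - V * y * y) * pow(4, -1, N) - Mz) % N
    return 0 <= z < 2 ** (k + 3)


def demo(message=b"constructed sample message", seed=1, fast_variant=False):
    """Sign a constructed message and report the checks a reader would want to see."""
    rng = random.Random(seed)
    (V, N), S = keygen(P_TOY, Q_TOY, rng)
    k = 24                                    # 0 << 2k < n = 92
    Mx, Mz = digest_pair(message, N)
    x, y, z = fuzzy_oss_sign(Mx, Mz, V, N, S, k, rng, fast_variant)
    # Assertion [A1] with the signer's own z, then the public verification of (x, y).
    equation_holds = (pow(Mx + x, 2, N) - V * y * y) % N == (4 * (Mz + z)) % N
    return {
        "equation_holds": equation_holds,
        "verifies": fuzzy_oss_verify(Mx, Mz, V, N, k, x, y),
        "tampered_verifies": fuzzy_oss_verify(Mx, Mz, V, N, k, (x + 1) % N, y),
        "x_bits": x.bit_length(),             # must be <= n - k
        "z_bits": z.bit_length(),             # must be <= k + 3
    }
```

Changing x by one drives the recovered z outside its $2^{k+3}$ range, which is the whole of the verifier's check once the equation is used to recover z.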
The method of Figs. 2A and 2B is now briefly described. A proof of correctness of the method of Figs. 2A and 2B is provided below.

The general form of a solution to the Fuzzy OSS equation (ignoring, for the moment, the inequalities that must also be satisfied for x and z), is:

$(M_x + x) = \pm(R^{-1} + (M_z + z) \cdot R)$ and $y = \pm S \cdot (R^{-1} - (M_z + z) \cdot R)$

If we arbitrarily choose the minus sign in the $\pm$, and set T equal to a common subexpression:

$T = -(M_z \cdot R + M_x + R^{-1})$

then steps 140, 230, and 240 follow immediately.

In other words, it is simply a matter of algebraic manipulation to 
find x, y, and z that satisfy the Fuzzy OSS equation; such x, y, and z will not 
necessarily satisfy the required additional inequalities. Steps 140, 230, and 240 
guarantee that the equation is satisfied for any arbitrarily chosen R and z. The 
purpose of the other steps is to guarantee that the inequalities will also be satisfied. 
More specifically: 

• Steps 110 - 130 have the purpose of choosing an R such that for any M x and 
M z it will be possible to find a z such that not only the Fuzzy OSS equation, 
but also the inequalities on x and z, are satisfied. 

• Given that choice of R, steps 150 - 220 have the purpose of choosing such a z. 

The following is intended to be an intuitive, informal argument of 
why the method of Figs. 2A and 2B works; a formal proof is provided below. In 
this informal description, we will use terms like "small" (and "close") to denote 
values (and differences of values) that are much smaller than the modulus N. By 
this convention, for example, x and z would be considered "small", although they 
are usually very large numbers. 

Regarding the choice of R (steps 110 - 130), note that eventually $z \cdot R = T - x$ in $Z_N$ (by step 230). Since x and z both are required to be "small", this is really equivalent to saying that R should be chosen such that for any resultant T, it is possible to find a "small" z such that $z \cdot R$ is "close" to, but less than, T. This can be done, as described below with reference to steps 150 - 220, when R is chosen according to steps 110 - 130.

Now, given that choice of R, we need to find "small" z such that $z \cdot R \bmod N$ is "close" to T (since $x = T - z \cdot R \bmod N$ must be small). This is actually done in two stages:

• Steps 160 - 190 compute a "coarse estimate" U of z, actually aiming to find a value U such that $U \cdot R \approx T - 8 \cdot \gamma \bmod N$, i.e., actually slightly less than T.

• Steps 200 - 220 compute an error term $(T - U \cdot R) \bmod N$, and from that term derive a "fine correction" $\beta \cdot C$ to be added to the coarse estimate U in order to produce the actual z value.

In steps 150 and 155, T is checked to see if it is "small". If T is "small", then the coarse estimate U for z is taken as zero, steps 160 - 200 may be skipped, and the fine correction becomes the full value of z.

The efficiency of the method of Figs. 2A and 2B will be analyzed below. In the analysis, it will be noted that an even more efficient solution than the method of Figs. 2A and 2B exists based on $\beta = 1$ or at least $\beta$ "small".
However, there is some question whether the method thus restricted is as secure, 
since it generates solutions with far less generality, within the entire solution 
space, than the above method. 

A proof of correctness of the method of Figs. 2A and 2B is now
offered as follows. 

The following is asserted to be true:

[A1] $(M_x + x)^2 - V \cdot y^2 = 4 \cdot (M_z + z)$ in $Z_N$

[A2] $0 \le x < 2^{n-k}$

[A3] $0 \le z < 2^{k+3}$

The items asserted to be true are also termed herein "assertions".

The following simple lemmas concerning properties of integer division, with truncation as necessary, are presented without proof. All variables are positive integers:

[L1] $0 \le (x \cdot y) / z - x \cdot (y / z) < x$

[L2] $0 \le (x + y) / z - (x / z + y / z) \le 1$

[L3] $x < z \Rightarrow (x \cdot y) / z < y$

[L4] $w \equiv x \pmod{z} \Rightarrow (w \cdot y) / z \equiv (x \cdot y) / z \pmod{y}$

[L5] $y < x \Rightarrow x / (x / y) < 2 \cdot y$

[L6] $(((x \cdot y) / z) / y) \cdot z \le x$

The following lemma concerning the relationship between W and T is now presented with proof; the lemma will be needed for the proofs of assertions [A2] and [A3] above:

[L7] $W < T$, and either $\beta = 1$ or $(T - W) < (15 \cdot 2^{k-1} \cdot \gamma) / \beta$

Proof.

Note: In this proof, and in the proofs of the assertions mentioned above that follow, when evaluating variables such as W, x, or z that are evaluated modulo N, in the interest of simplifying the notation, any multiples of N that implicitly appear are dropped additively at the highest level of the equality, rather than carrying them through and dropping them at the end. Note especially the point concerning dropping at the highest level: if $x = y + N \cdot z$, $x = y$ may be written, but it is not valid to write $x = y/w$ in place of $x = (y + N \cdot z)/w$.




If $\beta$ is chosen to be 1, then W is set to 0 (steps 150 and 155 of the method of Figs. 2A and 2B), so the result immediately follows.

Likewise, if (at step 150 of the method) $T < 8 \cdot \gamma$, then W is set to 0, and again the result follows almost immediately, since $\beta < 2^{k-1}$.

Otherwise:

$W = U \cdot R$  {Step 200}

$= U \cdot ((\alpha \cdot N + \gamma) / \beta)$  {Step 130}

$= (U \cdot (\alpha \cdot N + \gamma)) / \beta - \varepsilon_1$  {$0 \le \varepsilon_1 < U$; Lemma [L1]}

$= (U \cdot \alpha \cdot N + U \cdot \gamma) / \beta - \varepsilon_1$

$= (U \cdot \alpha \cdot N) / \beta + (U \cdot \gamma) / \beta - \varepsilon_1 + \varepsilon_2$  {$0 \le \varepsilon_2 \le 1$; Lemma [L2]}

$= (U \cdot \alpha \cdot N) / \beta - \varepsilon_1 + \varepsilon_2 + \varepsilon_3$  {$0 \le \varepsilon_3 < \gamma$; Lemma [L3]}

$= (B \cdot D \cdot \alpha \cdot N) / \beta - \varepsilon_1 + \varepsilon_2 + \varepsilon_3$  {Step 190; Lemma [L4]}

$= (B \cdot N) / \beta - \varepsilon_1 + \varepsilon_2 + \varepsilon_3$  {Step 160; Lemma [L4]}

$= B \cdot (N / \beta) - \varepsilon_1 + \varepsilon_2 + \varepsilon_3 + \varepsilon_4$  {$0 \le \varepsilon_4 < B$; Lemma [L1]}

$= B \cdot A - \varepsilon_1 + \varepsilon_2 + \varepsilon_3 + \varepsilon_4$  {Step 170}

$= ((T - 8 \cdot \gamma) / A) \cdot A - \varepsilon_1 + \varepsilon_2 + \varepsilon_3 + \varepsilon_4$  {Step 180}

$= (T - 8 \cdot \gamma) - \varepsilon_1 + \varepsilon_2 + \varepsilon_3 + \varepsilon_4 - \varepsilon_5$  {$0 \le \varepsilon_5 < A$; Lemma [L1]}

So $T - W = 8 \cdot \gamma + \varepsilon_1 + \varepsilon_5 - \varepsilon_2 - \varepsilon_3 - \varepsilon_4$. Since all of the $\varepsilon_i$ are non-negative, we will have proved our lemma if we can show that:

[a] $\varepsilon_2 + \varepsilon_3 + \varepsilon_4 < 8 \cdot \gamma$, and

[b] $8 \cdot \gamma + \varepsilon_1 + \varepsilon_5 < (15 \cdot 2^{k-1} \cdot \gamma) / \beta$
Proof of [a]:

$B = (T - 8 \cdot \gamma) / A$  {Step 180}

$< N / A$

$= N / (N / \beta)$  {Step 170}

$< 2 \cdot \beta$  {Lemma [L5]}

$< 2 \cdot \gamma$

So $\varepsilon_2 + \varepsilon_3 + \varepsilon_4 < 1 + \gamma + B < 8 \cdot \gamma$
Proof of [b]:

$A = N / \beta$  {Step 170}

$< 2^n / \beta$

$= (4 \cdot 2^{k-1} \cdot 2^{n-k-1}) / \beta$

$< (4 \cdot 2^{k-1} \cdot \gamma) / \beta$

Also, $U < \beta < \gamma$, and $\beta < 2^{k-1}$ (and thus $x \le (x \cdot 2^{k-1}) / \beta$ for any x).

So $8 \cdot \gamma + \varepsilon_1 + \varepsilon_5 < 8 \cdot \gamma + U + A < (15 \cdot 2^{k-1} \cdot \gamma) / \beta$

Proof of assertions [A1], [A2], and [A3], using lemma [L7] where necessary:

[A1] $(M_x + x)^2 - V \cdot y^2 = 4 \cdot (M_z + z)$ in $Z_N$

Proof.

$(M_x + x)^2 - V \cdot y^2 = (M_x + T - z \cdot R)^2 - V \cdot S^2 \cdot (x + M_x + 2 \cdot R^{-1})^2$

$= ((M_z + z) \cdot R + R^{-1})^2 - (T - z \cdot R + M_x + 2 \cdot R^{-1})^2$

$= ((M_z + z) \cdot R + R^{-1})^2 - ((M_z + z) \cdot R - R^{-1})^2$

$= 4 \cdot (M_z + z)$

[A2] $0 \le x < 2^{n-k}$

Proof.



$x = T - z \cdot R$  {Step 230}

$= T - (U + \beta \cdot C) \cdot R$  {Step 220}

$= (T - U \cdot R) - (\beta \cdot R) \cdot C$

$= (T - W) - \gamma \cdot C$  {Step 130}

$= (T - W) - \gamma \cdot ((T - W) / \gamma)$  {Step 210}

$< \gamma$  {Lemmas [L1], [L7]}

$< 2^{n-k}$

[A3] $0 \le z < 2^{k+3}$

Proof.

If $\beta = 1$, then $U = W = 0$, so:

$z = U + \beta \cdot C$  {Step 220}

$= C$

$= (T - W) / \gamma$  {Step 210}

$= T / \gamma$

$< N / 2^{n-k-1}$

$< 2^{k+3}$

Otherwise, by Lemma [L7], $(T - W) < (15 \cdot 2^{k-1} \cdot \gamma) / \beta$, so:

$z = U + \beta \cdot C$  {Step 220}

$= U + ((T - W) / \gamma) \cdot \beta$  {Step 210}

$< \beta + ((T - W) / \gamma) \cdot \beta$  {Step 190}

$< \beta + (((15 \cdot 2^{k-1} \cdot \gamma) / \beta) / \gamma) \cdot \beta$  {Lemma [L7]}

$\le \beta + 15 \cdot 2^{k-1}$  {Lemma [L6]}

$< 2^{k+3}$



The efficiency of the method of Figs. 2A and 2B is now analyzed.

As will be appreciated by persons skilled in the art, there are a 
limited number of multiple precision multiplicative operations involved in the 
method of Figs. 2A and 2B, although more than in the original OSS. Some of the 
operations are multiplications and some are divisions. Among the divisions, some 
are in Z (division in Z is comparable in efficiency to multiplication) and some are 
in a finite ring $Z_N$ or $Z_\beta$ (division in a finite ring is more time-consuming than
multiplication). 

Here are some other observations concerning the efficiency, 
referring to the steps of Figs. 2A and 2B: 

Step 150 costs very little (just a multiplication by a very small constant).

Steps 120 and 130 can essentially be combined, since $\gamma$ and R can be found in a combined process in which $\gamma$ is chosen arbitrarily, $\alpha \cdot N + \gamma$ is divided by $\beta$ to obtain the quotient (R) and the remainder, the latter being used to refine the choice of $\gamma$ so that $\alpha \cdot N + \gamma$ is divisible by $\beta$.

Steps 110 and 160 can be combined, since the gcd method can also yield the inverse.

$R^{-1}$ does not need to be evaluated for step 240, since it was already evaluated for step 140.

Since the modulus N is public, the inverting of R with respect to N may be delegated to a more powerful non-secure processor (if available) by "blinding" the R with a random multiplicative factor in $Z_N$ (Naccache also notes this; see reference [4]).

Blinding involves performing some transform on secret data before exposing it, in a way that the transform hides the original value(s). In the case of taking the inverse of a non-zero value x in the field $Z_P$ (P prime), the value x may be blinded by multiplying it by an arbitrary non-zero r in $Z_P$:

$y \leftarrow r \cdot x$ (in $Z_P$)

Now since y can have, with equal probability, any value in $Z_P$, it does not need to be kept secret; revealing y can not possibly reveal anything about x (which is secret). Any "non-trusted" computer may be asked to invert y in $Z_P$:

$z \leftarrow y^{-1}$ (in $Z_P$)

The inverse of the original x in $Z_P$ may then be recovered by multiplication:

$x^{-1} \leftarrow r \cdot z$ (in $Z_P$)

This last step is sometimes called unblinding, that is, an inverse operation that undoes the original blinding.

Note that the "non-trusted" computer may be non-trusted in two senses:

• Not to be trusted with the secret value of x. 

• Not to be trusted to compute the inverse correctly (it may be possible to 
perform some sort of "fault attack" by supplying an incorrect inverse, and 
seeing the eventual result). A "fault attack" is an attack in which one of the 
protocol partners or some external observer intentionally introduces an error 
into the protocol to observe the processing on the faulty data, hoping thereby to 
gain some information. Such an attack attempts to take advantage of the fact 
that some otherwise secure protocols are not robust enough to avoid leaking 
secrets when handling non- valid data such as, for example, out of range data. 

To protect against the first point of non-trust, blinding is preferably 
used, as described above. To protect against the second point of non-trust, the 
secure computer (the one that did the blinding and unblinding) should check the 
result before proceeding: 

$x \cdot x^{-1} \stackrel{?}{=} 1$ (in $Z_P$) 

and should abort, rather than continue with the unverified value, if the check fails. 

Note that we assumed $P$ is prime, which is necessary to achieve 
absolute blinding. If $P$ is not prime, then if $y$ is not relatively prime to $P$ (that is, 
if $r$ or $x$ shares a factor with $P$), no inverse exists and this will not work; the 
check above also fails in that case. However, since RSA-type moduli are the product of two extremely 
large primes, the chance of any "randomly" chosen number (or the product of two 
such numbers) not being relatively prime to the modulus is infinitesimally small, 
and the blinding may be treated as absolute for all practical purposes. 

The advantage of blinding, in our context, is that for "infinite 
precision" (large number of digits) numbers, modular division and modular 
inversion (while tractable, unlike modular root extraction) are considerably more 
time-consuming than modular multiplication. If the secure computer is relatively 
weak (for example, a smart card), then given the availability of a powerful but 
non-secure computer to perform the blinded inversion, it may be more efficient to 
perform all of the following: 

• Three modular multiplications (blinding, unblinding, and confirmation) in the 
secure computer. 

• A modular inversion in the non-secure computer. 

• A data transfer in each direction. 

than to perform a single inversion in the secure computer. 
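The blinded-inversion exchange described above, written out as an added example (it is not code from the patent): the secure side does the three modular multiplications (blinding, unblinding, confirmation) and the non-secure helper does the inversion. The helper is modelled by two hypothetical functions, one honest and one that returns a wrong inverse, so that the confirmation check can be seen rejecting the fault. It assumes Python 3.8 or later for `pow(y, -1, m)` and uses a small composite modulus in one call to show the RSA-type case, including the negligible-probability event that the blinded value is not invertible.

```python
"""Blinded modular inversion delegated to a non-secure helper, with the
blinding, unblinding and the x * x^-1 == 1 confirmation done on the secure
side.  Added illustration, not the patent's code.  Assumes Python 3.8+ for
pow(y, -1, m); untrusted_invert_ok / untrusted_invert_faulty are hypothetical
stand-ins for the non-secure processor."""
import math
import secrets


def untrusted_invert_ok(y: int, m: int) -> int:
    """Honest non-secure processor: returns y^-1 mod m (raises if none exists)."""
    return pow(y, -1, m)


def untrusted_invert_faulty(y: int, m: int) -> int:
    """Non-secure processor mounting a fault attack: returns a wrong inverse."""
    return (pow(y, -1, m) + 1) % m


def blinded_inverse(x: int, m: int, helper) -> int:
    """Return x^-1 mod m without revealing x to `helper`; raise ValueError if
    the helper's answer does not verify or if no inverse exists."""
    if not 0 < x < m:
        raise ValueError("x must be a non-zero residue mod m")
    # Uniform random invertible blinding factor r (any non-zero r when m is prime).
    while True:
        r = secrets.randbelow(m - 1) + 1
        if math.gcd(r, m) == 1:
            break
    y = (r * x) % m                      # multiplication 1: blinding; y is uniform on the units
    if math.gcd(y, m) != 1:              # only possible for composite m, when x shares a factor with m
        raise ValueError("blinded value is not invertible")
    z = helper(y, m)                     # transfer out y, transfer back z = y^-1 (if honest)
    x_inv = (r * z) % m                  # multiplication 2: unblinding, r * (r*x)^-1 = x^-1
    if (x * x_inv) % m != 1:             # multiplication 3: confirmation against a faulty helper
        raise ValueError("helper returned an incorrect inverse")
    return x_inv


def inversion_verifies(x: int, m: int, helper) -> bool:
    """True if the delegated inversion passed the confirmation check."""
    try:
        blinded_inverse(x, m, helper)
        return True
    except ValueError:
        return False
```

The helper only ever sees $y = r \cdot x$, and the secure side never uses $z$ before the confirmation multiplication has passed, so a faulty helper can at most cause an abort.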

The expected number of retries in step 110 until $\alpha$ and $\beta$ are chosen 
to be relatively prime is small, since for any randomly chosen pair $(\alpha, \beta)$ of 
integers, the probability $P$ of their having a common factor greater than 1 satisfies: 

$P < 1/2^2 + 1/3^2 + 1/5^2 + 1/7^2 + 1/11^2 + \dots$ 
$\quad = (1 + 1/2^2 + 1/3^2 + 1/4^2 + 1/5^2 + \dots) - (1 + 1/4^2 + 1/6^2 + 1/8^2 + 1/9^2 + \dots)$ 
$\quad = \pi^2/6 - (1 + 1/4^2 + 1/6^2 + 1/8^2 + 1/9^2 + \dots)$ 

(the first line is a union bound over the primes; the subtracted series runs over 1 and 
the composite numbers). From evaluating a small number of terms, it can be seen that $P < 
0.5$, so the expected number of retries is less than 1. 

Another way of stating the above result is to say that the expected 
value of $\phi(\beta)/\beta$, where $\phi()$ is the Euler totient function and $\beta$ is chosen randomly 
from some large range of integers, is slightly greater than 0.5 (its limiting value is 
$6/\pi^2 \approx 0.61$). We will also make 
use of this fact in the following section when discussing the security of the 
method. 
The task of choosing $\alpha$ and $\beta$ until a relatively prime pair is found 
may be additionally sped up by pre-screening with a very quick test that yields a 
small number of false positives (and no false negatives). Randomly choose a pair $(\alpha, \beta)$, and then evaluate: 

$\gcd(210,\ \alpha \bmod 210,\ \beta \bmod 210)$ 

If the value of the evaluated expression is equal to 1, then $\alpha$ and $\beta$ 
have no common factor of 2, 3, 5, or 7, and they are with high probability 
relatively prime. (At this point it is necessary to perform the real gcd of $\alpha$ and $\beta$ to 
eliminate any false positives, and this will also yield the inverse of $\alpha$ in $Z_\beta$, as 
noted above.) The remainder of any number modulo 210 can be 
evaluated very quickly on almost any processor, since $210 = 2 \cdot 3 \cdot 5 \cdot 7$ fits in a single byte. 
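Step 110 as described in the preceding paragraphs, as an added example rather than code from the patent: random $(\alpha, \beta)$ are drawn, the mod-210 pre-screen rejects the cheap cases, and a single extended Euclid pass then both removes the false positives and yields $\alpha^{-1} \bmod \beta$. The bounds $0 < \beta < 2^{k-1}$ and $0 \le \alpha < \beta$, the bit length $k$ and the helper names are assumptions made for this example; `coprime_fraction` estimates the coprimality probability that the bound above argues is above 0.5.

```python
"""Step 110 as described above: draw (alpha, beta), pre-screen with the
mod-210 test, then run an extended Euclid that yields both gcd(alpha, beta)
and alpha^-1 mod beta in one pass.  Added illustration, not the patent's
code; the bounds 0 < beta < 2**(k-1), 0 <= alpha < beta and the helper
names are assumptions made for this example."""
import math
import random
import secrets


def ext_gcd(a: int, b: int):
    """Return (g, s, t) with g == gcd(a, b) == s*a + t*b (iterative extended Euclid)."""
    old_r, r = a, b
    old_s, s = 1, 0
    old_t, t = 0, 1
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
        old_t, t = t, old_t - q * t
    return old_r, old_s, old_t


def prescreen_ok(alpha: int, beta: int) -> bool:
    """gcd(210, alpha mod 210, beta mod 210) == 1: the pair shares no factor
    of 2, 3, 5 or 7.  Single-byte arithmetic; may pass pairs sharing a larger
    prime (false positive) but never rejects a coprime pair."""
    return math.gcd(210, math.gcd(alpha % 210, beta % 210)) == 1


def choose_coprime_pair(k: int, rng=secrets.randbelow):
    """Retry until gcd(alpha, beta) == 1.  Returns
    (alpha, beta, alpha_inv_mod_beta, tries); `rng(m)` must return a uniform
    integer in [0, m)."""
    tries = 0
    while True:
        tries += 1
        beta = rng(2 ** (k - 1) - 1) + 1          # 0 < beta < 2**(k-1)
        alpha = rng(beta)                          # 0 <= alpha < beta
        if not prescreen_ok(alpha, beta):
            continue                               # cheap reject, no full gcd
        g, s, _ = ext_gcd(alpha, beta)             # full gcd removes false positives
        if g == 1:
            return alpha, beta, s % beta, tries    # s*alpha = 1 (mod beta)


def coprime_fraction(trials: int, bound: int, rng=secrets.randbelow) -> float:
    """Empirical probability that two independent uniform integers in
    [1, bound) are relatively prime.  It tends to 6/pi^2 ~ 0.61, i.e. the
    'common factor' probability P is below 0.5 and the expected number of
    retries is below 1."""
    hits = sum(1 for _ in range(trials)
               if math.gcd(rng(bound - 1) + 1, rng(bound - 1) + 1) == 1)
    return hits / trials


def seeded_rng(seed: int):
    """Deterministic stand-in for secrets.randbelow, for reproducible runs."""
    return random.Random(seed).randrange
```

With `secrets.randbelow` as the default source the pair is drawn from the operating system's CSPRNG; the seeded variant exists only so that a run can be reproduced.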

Reference is now additionally made to Fig. 3, which is a simplified 
flowchart illustration of an alternative preferred implementation of step 100 of 
Fig. 1. In the preferred embodiment of Fig. 3, as compared to the preferred 
embodiment of Figs. 2A and 2B, a number of steps of Figs. 2A and 2B, those 
between 160 and 200 inclusive, may be eliminated altogether by choosing $(\alpha, \beta) = 
(0, 1)$. The method of Fig. 3 is also termed herein "the restricted method". 

When $\beta$ is chosen to be 1, the restricted method reduces to the 
following steps: 

Step 250: Choose $y$ such that $2^{n-k-1} < y < 2^{n-k}$ 

Step 260: Set $T \leftarrow -(M_z \cdot y + M_x + y^{-1})$ (in $Z_N$) 

Step 270: Set $z \leftarrow T / y$ (in $Z$; i.e., integer division with 
truncation) 

Step 290: Set $x \leftarrow T - z \cdot y$ (in $Z_N$) 

Step 300: Set $y \leftarrow S \cdot (x + M_x + 2 \cdot y^{-1})$ (in $Z_N$) 

Even if $\beta$ is not chosen to be 1, it will be appreciated that a large 
number of steps of the method of Figs. 2A and 2B (110 - 130, 160 - 200, and 220) 
are monotonically related in efficiency to the size of $\beta$, so they will be very 
efficient if $\beta$ is much smaller than the modulus. Only steps 140, 210, 230, and 240 
remain costly independent of the size of $\beta$. In the following discussion, however, 
speculation is raised on the possible security impact of choosing $\beta = 1$ or $\beta$ small. 

The security of the method of Figs. 1, 2A, and 2B is now discussed. 

Attacks on proposed signature schemes typically take one of two 
forms: 

1. A tractable method for signing even without knowledge of the 
private key. 

2. A method for uncovering the private key, or at least information 
that allows signing, from information leaked in a set of solutions generated with 
the private key method. 

The two attack possibilities are now considered in turn. 

The original OSS fell to an attack of the first kind. It is difficult to 
speculate whether or not this attack could be extended to the Fuzzy OSS problem. 
Note, however, that in the extreme case where k is allowed to approach 0, the 
Fuzzy OSS problem converges to the original problem. Thus it seems more likely 
that any attack along these lines would incorporate the original OSS attack in some 
way, possibly in conjunction with some lattice methods, rather than being entirely 
independent of it. Alternatively, perhaps such an attack would involve a 
transformation of any Fuzzy OSS problem to an original OSS problem. 

In general, the second kind of attack described above can be avoided 
when: 

An arbitrary number of problems and corresponding solutions can 
be generated for any public key, assuming freedom over the choice of the message 
digest, in this case $(M_x, M_z)$; and 

there is exactly, or very nearly, a one-to-one correspondence 
between the random parameters, and the solutions generated therewith according 
to the private key method, on the one hand, and the entire solution space on the 
other hand, as is the case with the original OSS. 

The first of the two conditions above clearly holds with the Fuzzy 
OSS problem, as can be easily seen from the Fuzzy OSS equation. Regarding the 
second item, when there is considerable loss of generality such as, for example, 
when the private key method generates only a fraction of the total solution space 
or generates certain solutions with significantly higher probability than others, 
some information is leaked. The ability to utilize that leaked information for a full 
attack can be highly dependent upon the structure of the private key method and 
that of the missing generality. It will be shown below that, for the Fuzzy OSS 
problem and the private key method presented herein, the solution space of the 
private key method is only "slightly" less general than the total solution space, by 
a factor of $2^j$ for some very small $j$. There will be no attempt to analyze here 
whether it is possible to exploit that lack of generality. 

First note that if $(x, z)$ is chosen randomly (there are $2^{n+3}$ such 
random choices, according to the restrictions on the size of $x$ and $z$), then there is, 
with probability 1/4, a total of four $y$ values for which $(x, y, z)$ is a solution, and 
with probability 3/4, no such $y$ values. Thus the total true solution space (as 
opposed to the solution space generated by our private key method) has a size of 
approximately $2^{n+3} \cdot \tfrac{1}{4} \cdot 4 = 2^{n+3}$. 

Now consider the set of all solutions generated by the private key 
method presented in the present specification. First consider the set of all valid $(\alpha, 
\beta, \gamma)$ that may be chosen according to the restrictions given, referring to the above 
description of the method of Fig. 1 and Figs. 2A and 2B. Note that for a given 
choice of $\beta$ there are $\phi(\beta)$ possible choices of $\alpha$, where $\phi()$ is the Euler totient 
function, and for each $(\alpha, \beta)$ an average of $2^{n-k-1}/\beta$ (here we are dealing with real 
numbers rather than integers) possible choices of $\gamma$. This means that for each $\beta$ 
that may be chosen, there are approximately $2^{n-k-1} \cdot \phi(\beta)/\beta$ possible choices of $(\alpha, 
\gamma)$. Since there are $2^{k-1}$ possible choices of $\beta$, and it has been shown above that the 
expected value of $\phi(\beta)/\beta$ is slightly greater than 0.5, the total number of possible 
choices of $(\alpha, \beta, \gamma)$ is approximately (actually slightly greater than) $2^{n-3}$. 

Next, it will be shown that there is a one-to-one correspondence 
between choice triples (a, p, y) and solution triples (x, y, z). It is clear from the 
method description that each such choice triple yields a single solution triple, since 
the method is deterministic from after the point of selection of the choice triple, 
but it also needs to be shown that distinct choice triples yield distinct solution 
triples. First note that: 






so each solution triple is associated with a single R; we then need to show only 
that each R is associated with a single choice triple. 

Suppose two choice triples $(\alpha_1, \beta_1, \gamma_1)$ and $(\alpha_2, \beta_2, \gamma_2)$ yield the same 
$R$. This means that: 

$(\alpha_1 \cdot N + \gamma_1)/\beta_1 = (\alpha_2 \cdot N + \gamma_2)/\beta_2$ 
or equivalently: 

$(\alpha_1 \cdot \beta_2) \cdot N + (\gamma_1 \cdot \beta_2) = (\alpha_2 \cdot \beta_1) \cdot N + (\gamma_2 \cdot \beta_1)$ 
Since: 

$0 < \beta_1, \beta_2 < 2^{k-1}$ and $0 < \gamma_1, \gamma_2 < 2^{n-k}$ and $2^{n-1} < N$ 
it follows that: 

$0 < \gamma_1 \cdot \beta_2 < N$ and $0 < \gamma_2 \cdot \beta_1 < N$ 
and so (comparing the two sides as a multiple of $N$ plus a remainder smaller than $N$): 

$\alpha_1 \cdot \beta_2 = \alpha_2 \cdot \beta_1$ and $\gamma_1 \cdot \beta_2 = \gamma_2 \cdot \beta_1$ 
Since: 

$\beta_2 \mid (\alpha_2 \cdot \beta_1)$ and $\gcd(\beta_2, \alpha_2) = 1$ 
therefore: 

$\beta_2 \mid \beta_1$ (and likewise $\beta_1 \mid \beta_2$ by an analogous argument) 
Thus $\beta_1 = \beta_2$, and from the two equalities above: 

$(\alpha_1, \beta_1, \gamma_1) = (\alpha_2, \beta_2, \gamma_2)$ 

Thus, it has been shown that there is a one-to-one correspondence 
between choice triples and values of $R$, and together with the earlier argument, 
shown that there is a one-to-one correspondence between solution triples of the 
private key method and choice triples. Since there are approximately $2^{n-3}$ choice 
triples, as described above, as opposed to $2^{n+3}$ solution triples, approximately 6 bits 
of generality are lost by the private key method. It is actually possible to tighten 
this slightly so that slightly fewer bits of generality are lost, but both the method 
and its proof become messier, and occasionally retries are necessary. The details 
are omitted here. 
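The counting argument and the one-to-one claim above, checked at toy size as an added example (not the patent's code): every choice triple $(\alpha, \beta, \gamma)$ permitted by the stated bounds is enumerated for a small assumed $(n, k)$ and an assumed 16-bit modulus $N = 211 \cdot 241$, each is mapped to $R = (\alpha \cdot N + \gamma)/\beta$, and the report shows that the map is injective, that the count is slightly above $2^{n-3}$, and that the shortfall against the $2^{n+3}$ true solution space is close to 6 bits.

```python
"""Toy-size check of the counting and one-to-one arguments above.  This is
an added illustration, not the patent's code: it enumerates every choice
triple (alpha, beta, gamma) permitted by the stated bounds for a small
assumed (n, k, N), maps each to R = (alpha*N + gamma)/beta, and reports
whether the map is injective and how far the count sits from 2**(n-3)."""
import math


def choice_triples(n: int, k: int, N: int):
    """Yield all (alpha, beta, gamma) with
         0 < beta < 2**(k-1),  0 <= alpha < beta,  gcd(alpha, beta) == 1,
         2**(n-k-1) < gamma < 2**(n-k),  and  beta | (alpha*N + gamma)."""
    if not 2 ** (n - 1) < N < 2 ** n:
        raise ValueError("N must be an n-bit modulus")
    lo, hi = 2 ** (n - k - 1) + 1, 2 ** (n - k)      # gamma in [lo, hi)
    for beta in range(1, 2 ** (k - 1)):
        for alpha in range(beta):
            if math.gcd(alpha, beta) != 1:             # phi(beta) choices of alpha
                continue
            # gamma must satisfy gamma = -alpha*N (mod beta); start at the
            # first such value >= lo and step by beta (about 2**(n-k-1)/beta hits)
            first = lo + (-(alpha * N + lo)) % beta
            for gamma in range(first, hi, beta):
                yield alpha, beta, gamma


def r_of(triple, N: int) -> int:
    """R = (alpha*N + gamma) / beta, which the enumeration guarantees is exact."""
    alpha, beta, gamma = triple
    q, rem = divmod(alpha * N + gamma, beta)
    if rem:
        raise ValueError("beta does not divide alpha*N + gamma")
    return q


def generality_report(n: int, k: int, N: int) -> dict:
    """Count the choice triples, check that distinct triples give distinct R,
    and compare the count with the 2**(n-3) estimate and the 2**(n+3) true
    solution-space size (so 'bits_lost' should come out close to 6)."""
    rs = [r_of(t, N) for t in choice_triples(n, k, N)]
    count = len(rs)
    return {
        "triples": count,
        "injective": len(set(rs)) == count,
        "excess_over_2^(n-3)": count / 2 ** (n - 3),
        "bits_lost": (n + 3) - math.log2(count),
    }


if __name__ == "__main__":
    # Assumed toy parameters: n = 16, k = 6, N = 211 * 241 (two primes, 16 bits).
    print(generality_report(16, 6, 211 * 241))
```

Because $\gamma \cdot \beta < 2^{n-k} \cdot 2^{k-1} = 2^{n-1} < N$ holds for every enumerated triple, the injectivity observed in the report is exactly the case covered by the proof above; the count per $\beta$ is within one of $2^{n-k-1} \cdot \phi(\beta)/\beta$, which is why the total lands just above $2^{n-3}$.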

As a final point, it was noted above that the efficiency of the method 
may be improved by choosing $(\alpha, \beta) = (0, 1)$, as in the method of Fig. 3, or at least 
choosing $\beta$ to be "small". However, when $\beta$ is chosen to be much smaller than 
$2^{k-1}$, this significantly reduces the generality of the solution, that is, the ratio of 
solutions produced by the method to the true total number of solutions, and may 
impact the security. If $k$ is chosen to be relatively small compared to $n$, the 
modulus size, but still significantly greater than 0, for example, $n = 1024$, $k = 128$, 
then a $\beta$ of approximately $k$ bits may be chosen without losing generality of the 
solution. This is because the greater freedom of $\gamma$, approximately $n - k$ bits, offsets 
the loss of generality in $\beta$. This appears to be a way to improve performance, by 
working with a relatively small $\beta$, without sacrificing the generality of the 
solution. However, note that the signature size is $(2 \cdot n - k)$ bits, since it does not 
need to explicitly include $z$, as we noted earlier, and therefore reducing $k$ for a 
fixed $n$ increases the signature size. 

Summarizing the above points: 

Assuming freedom in the choice of the message digest, an arbitrary 
number of problems and their corresponding solutions can be generated for any 
public key. Therefore, a private key method that covered the true total solution 
space with perfect generality and uniformity would leak no information. 

The presented private key method does not completely cover the 
true total solution space, but it comes within several bits of doing so. Moreover, 
the coverage, although not totally general, is uniform, that is, there is one-to-one 
correspondence between choice parameters and generated solutions. 

There is no obvious way to exploit the indicated small lack of 
generality in order to learn how to sign from seeing a number of signatures, 
because of the complex, non-linear, in fact, non-polynomial, relationship between 
the choice parameters and the solutions. 

The more promising attack approach would seem to be trying to 
find a way to solve the equation without any knowledge of the private key (as with 
the original OSS attack). Such an approach would be at least as difficult as the 
original OSS attack, since Fuzzy OSS converges to OSS as k -> 0. The attack 
might consist of a way of performing a polynomial-time transformation of a Fuzzy 
OSS problem to an OSS problem. 

Without limiting the generality of the present invention, it is 
appreciated that the present invention may be implemented in software on any 
appropriate hardware platform, and may also be implemented, for example, in 
firmware or in appropriate special-purpose hardware. Reference is now made to 
Fig. 4, which is a simplified block diagram illustration of an apparatus suitable for 
implementing the method of Fig. 1. The apparatus of Fig. 4 is self-explanatory. 

It is appreciated that various features of the invention which are, for 
clarity, described in the contexts of separate embodiments may also be provided in 
combination in a single embodiment. Conversely, various features of the 
invention which are, for brevity, described in the context of a single embodiment 
may also be provided separately or in any suitable subcombination. 

It will be appreciated by persons skilled in the art that the present 
invention is not limited by what has been particularly shown and described 
hereinabove. Rather the scope of the invention is defined only by the claims 
which follow: 